Merge branch 'issue_15394' into 'master'

Sanitize milestones and labels titles fixes #15394 See merge request !4046

Merge branch 'issue_15394' into 'master'
Sanitize milestones and labels titles fixes #15394 See merge request !4046
0c2bb8d1 · Rémy Coutable · 8dd2188b · 32811d98 · 0c2bb8d1 · 0c2bb8d1
Commit 0c2bb8d1 authored May 09, 2016 by Rémy Coutable
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -21,6 +21,7 @@ v 8.8.0 (unreleased)
  - Update SVG sanitizer to conform to SVG 1.1
  - Updated search UI
  - Display informative message when new milestone is created
+  - Sanitize milestones and labels titles
  - Allow "NEWS" and "CHANGES" as alternative names for CHANGELOG. !3768 (Connor Shea)
  - Added button to toggle whitespaces changes on diff view
  - Backport GitHub Enterprise import support from EE

--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -117,6 +117,10 @@ def text_color
    LabelsHelper::text_color_for_bg(self.color)
  end

+  def title=(value)
+    write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+  end
+
  private

  def label_format_reference(format = :id)

--- a/app/models/milestone.rb
+++ b/app/models/milestone.rb
@@ -129,6 +129,10 @@ def author_id
    nil
  end

+  def title=(value)
+    write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+  end
+
  # Sorts the issues for the given IDs.
  #
  # This method runs a single SQL query using a CASE statement to update the

--- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
@@ -43,7 +43,7 @@
      milestone.update_attribute(:title, %{"></a>whatever<a title="})

      doc = reference_filter("milestone #{reference}")
-      expect(doc.text).to eq "milestone #{milestone.title}"
+      expect(doc.text).to eq "milestone \">whatever"
    end

    it 'includes default classes' do

--- a/spec/models/label_spec.rb
+++ b/spec/models/label_spec.rb
@@ -55,6 +55,14 @@
    end
  end

+  describe "#title" do
+    let(:label) { create(:label, title: "<b>test</b>") }
+
+    it "sanitizes title" do
+      expect(label.title).to eq("test")
+    end
+  end
+
  describe '#to_reference' do
    context 'using id' do
      it 'returns a String reference to the object' do

--- a/spec/models/milestone_spec.rb
+++ b/spec/models/milestone_spec.rb
@@ -34,6 +34,14 @@
  let(:issue) { create(:issue) }
  let(:user) { create(:user) }

+  describe "#title" do
+    let(:milestone) { create(:milestone, title: "<b>test</b>") }
+
+    it "sanitizes title" do
+      expect(milestone.title).to eq("test")
+    end
+  end
+
  describe "unique milestone title per project" do
    it "shouldn't accept the same title in a project twice" do
      new_milestone = Milestone.new(project: milestone.project, title: milestone.title)